The U.S. government is hindering, not helping, OT cyber risk reduction in the 1- to 3-year timeframe
I’ve been frustrated with the mountains of operational technology (OT) security guidance and regulations coming from CISA and other U.S. government agencies. Most, but not all, of it is not wrong. It is documenting a large and growing set of OT security good practices. The frustration is that a large share of their recommendations and projects will have negligible impact on an asset owner’s or society’s OT cyber risk.
Even worse, the gems in this large mound of rocks get lost. The actions that could make a difference in the next 1-3 years are fighting for attention and resources with the feel-good, check-mark, almost-no-impact security controls. And I must mention that the lack of attention to consequence reduction is a huge miss. For example, the small and medium water sector should spend 80%-plus of their OT cyber risk reduction resources on consequence reduction.
There has not been a shortage of solid and near-comprehensive OT security guidance prior to the U.S. government. There’s ISA/IEC 62443. There are numerous training programs and white papers and webinars. The failure to make more progress in OT cyber risk the last 15 years has not been due to a lack of information.
The lack of progress can be blamed on a lack of awareness of OT cyber risk — an area in which the U.S. government and other hysteria has made great progress — and a lack of focus on actions that will maximize OT cyber risk reduction. The U.S. government gets failing grades on the latter, and continues to make this worse.
Every additional feel-good, not-wrong security control that doesn’t make a big dent in OT cyber risk takes away from a security control or consequence reduction action that does.
When I have a chance to interview a U.S. government leader, I ask them how they are measuring the success of their programs that get more funding year after year. I’ve yet to get an answer. To date, the metric seems to be the number of guidance documents, the number of new programs and the net promoter score of CISA. The latter may be at an all-time high by the broader population and a low in the most experienced OT security community. Perhaps CISA and other sector agencies are making a positive impact outside of OT — information technology (IT), voting, state and local government. It is admittedly a very large and difficult job that somehow Congress and many think tanks believe should be even larger.
The U.S. government is helping reduce cyber risk in the 10- to 15-year timeframe
I’ve made the mistake of letting my disdain for U.S. government actions aimed and claimed at having a near-term impact cloud my analysis of the long-term impact of certain government efforts. To be clear, the long laundry list of recommendations is having a negative impact in the short term, and this will continue, if not changed, in the medium and long term.
There are two positive examples of where U.S. government action will have almost no impact in the near term and a large positive impact in the 10- to 15-year timeframe: medical device security and software bills of materials (SBOMs). While the messaging doesn’t reflect that they will have minimal impact on OT cyber risk for years, it is smart to start.
The birth of industrial control system (ICS) security began with the 9/11 attack in 2001. While a few pioneers were working before then, planes flying into buildings led many to think what other rarely considered attacks could have a major impact. It didn’t take long for those in the automation industry to identify the lack of authentication for control and administrative commands sent to controllers, programmable logic controllers (PLCs) and remote terminal units (RTUs).
When this was brought up, the almost universal reply was that it would take decades to add authentication to these Level 1 devices. A decade later, it hadn’t started, and this led to Project Basecamp in 2012. Even after Project Basecamp, it was another five years before serious work began on adding security to a few industrial protocols. Products with secure industrial protocols are now available, although asset owner use is still small, as is the prioritization given to this issue by government and industry leaders.
Imagine where we would be in 2023 if the U.S. government had said in 2005 that beginning in 2007 we will only purchase Level 1 devices that have an authenticated industrial protocol.
At the end of 2022, the PATCH Act provisions were included in the omnibus spending bill. They gave the FDA authority to require medical device manufacturers to provide an SBOM and have a vulnerability management program, including disclosure, providing patches, etc.
This new regulatory authority will have little impact on health care cyber risk for decades. The overwhelming majority of health care cyber incidents and related impact today are caused by ransomware. There is scant evidence that providing SBOMs and patching medical devices would lessen these incidents and impact, which mistakenly led me to brush this aside as more security theater with little impact. There will be a small impact in three years, more in five years, and in 10-15 years we may see a majority of medical devices in use with a much-improved security posture.
Similarly, I have underappreciated the U.S. government’s growing requirements for SBOMs. They are not in a position to use them. They are overwhelmed trying to keep up with the top-level products, let alone the components. I viewed it as a feel-good paper exercise that was wasting resources that could have been applied much better to achieve cyber risk reduction.
Looking at this requirement with a 10-year lens, it could have a big impact. Not because in 10 years the U.S. government (or industry) will make great use of these SBOMs. The impact will come based on how this will drive vendor development teams to better understand and manage their supply chain and development process to address, and limit growth of, their technical debt.
Thanks to those who are looking at OT cyber risk with a long-term lens and with a focus on one thing that can make a difference. The potential problem is that most who do not live in this OT security world believe, based on the messaging, that these programs will have a short-term impact on OT cyber risk. They won’t.
Cynically, I guess the good news is there are no metrics for success other than an activity occurring.
Original content can be found at Dale Peterson.